Presentation is loading. Please wait.

Presentation is loading. Please wait.

Harness Your Internet Activity. Random Subdomain Attacks Plaguing the Internet.

Published byMarian May Modified over 8 years ago

Similar presentations

Presentation on theme: "Harness Your Internet Activity. Random Subdomain Attacks Plaguing the Internet."— Presentation transcript:

1 Harness Your Internet Activity

2 Random Subdomain Attacks Plaguing the Internet

3 Brief Intro –Covered at last OARC –Attack overview Latest data –Progress on open dns proxies in home gateways –Impact of Response Rate Limiting? –Chinese pornography sites –Hong Kong news site Testing resolvers –(Over) ambitious idea! What can we do? –Success filtering ingress traffic, some challenges –??? 3 Agenda

4 4 Random Subdomain Attacks RANDOMTARGET NAME wxctkzubkb..liebiao.800fy.com qzgziliv. 11hehe.com two labels three labels

5 Random Subdomain Attacks 1 Internet Query with randomized subdomains 2 Authoritative Server Compromised hosting Recursive queries Open DNS Proxy (Home Gateway) 3 NXD responses ISP Target Web Site Open DNS Proxies are the Vector for Attacks ISP Resolver

6 6 Latest Data: Unique Names Millions Start of attack activity Jan 28, 2014

7 7 Impact of Response Rate Limiting Border Home Gateway Resolver Authority Spoofed IP Query (UDP): Ivatsnkb.web.pay1.cn Proxy query, translate IP Recursion NXD Spoofed IP Proxy query, translates IP Spoofed IP Query (UDP): Ivatsnkb.web.pay1.cn Proxy query, translate IP Recursion Truncate Bad Case Worse Case Response Rate Limiting Retry TCP NXD Proxy query, translates IP Spoofed IP Attacker

8 8 Attacks at Scale Proxy query, translate IP Recursion Truncate Response Rate Limiting Border Home Gateway Resolver Authority Attacker Retry TCP Authority Fails High traffic with TCP overhead Resolver doesn’t get responses, tries new Authorities, cascading failures Spoofed IP Randomized queries Resolver stress TCP overhead

9 Sept 28, 2014 UTC Height of Hong Kong democracy protests Distinct shift in tactics – 98% of attacks on one domain –Typical day 4-6 domains attacked, usually gaming sites Hong Kong online news Passion Times Website offline 13 hours 9 Hong Kong News Site

10 Sept 25/26 2014 (UTC) Another shift in tactics 42 domains attacked simultaneously Attack lasted 6 hours Most web sites went down Motive for most attacks remains unclear –Monetization is likely very modest –Collateral damage across the Internet far exceeds revenue from DDoS for hire 10 Chinese Pornography Sites

11 11 Sept 25/26 Attacks Data from 5 providers Volume of attack queries In Millions Small fraction of overall attack activity Nominum est << 5% 80 40 10 45 25 5

12 12 Sept 25/26 Attacks Data from 5 providers % attack queries 60 30 10 35 20 5

13 13 Oct 3- 6 Attacks In-media is an Independent Hong Kong news site 25 15 5 millions

14 Home Gateways mask the spoofed source IP –“Challenges”, “DNS cookies” won’t work at either resolvers OR authorities –Queries are from legitimate IPs – blacklisting eliminates all traffic for those IPs Response Rate Limiting by authorities increases the workload for both resolvers and authorities –It was designed for attacks directly on authoritative servers –Rate limiting resolvers is counter productive Surrounding recursion with too much logic can be problematic –Doesn’t address root cause –Collateral damage is observed: Servers marked as non-responsive by recursor recovering but still not being used Nameservers serving multiple domains taken out of service by traffic for one domain Tendency for cascading failures –Authorities successively fail increasing stress on remaining authorities –This in turn increases stress on resolvers 14 Many Problems to Address

15 Filter traffic at ingress to the resolver –Near real time block lists Randomized subdomains used for attacks Protect good traffic –Whitelist Fine grained policy –Tie the lists together: Block bad traffic Answer good traffic 15 Solutions IDEAS?

16 Goal: Understand impact of PRSD on resolvers –BIND –PowerDNS –Undound –Vantio Method: Simulate DNS E-E behavior –Attack behaviorEasy –ResolversEasy –AuthoritiesHard –Variability of InternetVery hard Whoops! 16 Testing Resolvers

17 Authoritative server answers up to threshold, then randomly drops Authoritative server switches to TCP at threshold, then restricts tcp connection slots Authoritative server drops traffic for attack domains, answers other domains Authoritative server doesn’t answer, other servers for domain successively fail, vary latency response latency IDEAS? 17 Current Test Plan

Download ppt "Harness Your Internet Activity. Random Subdomain Attacks Plaguing the Internet."

Similar presentations

DNSSEC Support in SOHO CPE OARC Workshop Ottawa 24 th September 2008.

DNSSEC Support in SOHO CPE OARC Workshop Ottawa 24 th September 2008.
Network Security Highlights Nick Feamster Georgia Tech.

Network Security Highlights Nick Feamster Georgia Tech.
(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.

Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.
Harness Your Internet Activity. DNS-Based DDoS Evolving Threat RIPE May 2015 Amsterdam Ralf Weber Bruce Van Nice.

Harness Your Internet Activity. DNS-Based DDoS Evolving Threat RIPE May 2015 Amsterdam Ralf Weber Bruce Van Nice.
1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &

1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric (07016080)

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
Enhanced Secure Dynamic DNS Update with Indirect Route David Wilkinson, C. Edward Chow, Yu Cai 06/11/2004 University of Colorado at Colorado Springs IEEE.

Enhanced Secure Dynamic DNS Update with Indirect Route David Wilkinson, C. Edward Chow, Yu Cai 06/11/2004 University of Colorado at Colorado Springs IEEE.
Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : 97077200 7 August 1999 The Chinese University.

Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : August 1999 The Chinese University.
Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
------ An Overview Zhang Fu Outline What is DDoS ? How it can be done? Different types of DDoS attacks. Reactive VS Proactive Defence.

An Overview Zhang Fu Outline What is DDoS ? How it can be done? Different types of DDoS attacks. Reactive VS Proactive Defence.
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
Module 3 DNS Types.

Module 3 DNS Types.
1 Content Distribution Networks. 2 Replication Issues Request distribution: how to transparently distribute requests for content among replication servers.

1 Content Distribution Networks. 2 Replication Issues Request distribution: how to transparently distribute requests for content among replication servers.
Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.

Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
Harness Your Internet Activity. Zeroing in On Zero Days DNS OARC Spring 2014 Ralf Weber

Harness Your Internet Activity. Zeroing in On Zero Days DNS OARC Spring 2014 Ralf Weber
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.

Similar presentations

Ads by Google